[unisog] Anyone doing large scale NAT for their campus?

Mitch Collinsworth mitch at ccmr.cornell.edu
Mon Sep 23 16:38:35 GMT 2002


On Mon, 23 Sep 2002, Scott Genung wrote:

> It can be argued that NAT undermines the end-to-end model of the Internet.
> However (my opinion), that is only a religious argument. NAT does not
> really (appear) to impact file sharing applications because translations
> already exist by the time a user is seeking content from a host on your
> network because this host already registered itself with an external
> directory (thereby creating the translation). As long as there is flow from
> the private address source, the translation will remain valid and the
> content of a private address host can be reached from outside your network.
> Again, this can be controlled to a limited degree by how long you allow
> inactive translations to remain cached.

Your argument seems to be based on the specific characteristics of
existing applications.  I.e. the private-addressed machine initiated
the connection, so everything will just work.  This argument works
fine for applications that fit this model.  It breaks down for those
that don't.

Two examples:

a) Microsoft Netmeeting

b) Sidecar:  Sidecar is something developed by a coalition of universities
for enabling kerberos authentication for applications that don't already
have kerberos built-in.  The upshot of it is it runs a service on every
user machine on port 913.  Put the machine behind a NAT and sidecar doesn't
work and applications that depend on it fail.

There is a great argument to be made that NATs are necessary in the IPv4
world of today.  But claiming that they don't break applications and that
end-to-end is just a religious argument is ridiculous.

-Mitch
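To make the disagreement above concrete, here is a toy model of a stateful NAT translation table. It is an added example, not code from either poster or from any NAT product: addresses are constructed from the RFC 5737 documentation ranges, the idle timeout and port pool are assumed values, and the translation is keyed on the remote endpoint (the behaviour of a port-restricted NAT), which is one common design but not the only one. It shows the case Scott describes (an outbound-initiated flow creates a translation that inbound replies can use, until the idle timeout expires it), the case Mitch describes (an unsolicited inbound connection to a per-host listener such as one on port 913 matches nothing and is dropped), and the usual operational fix, a static translation configured by the NAT operator for that one port.

```python
"""Toy stateful NAT: shows why outbound-initiated flows survive NAT, why
unsolicited inbound connections do not, and how idle timeouts and static
mappings change the picture. Constructed example; not a real NAT implementation."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # constructed public address (RFC 5737 range)
IDLE_TIMEOUT = 300          # assumed seconds before an idle translation is dropped


@dataclass
class Translation:
    private_ip: str
    private_port: int
    remote_ip: str
    remote_port: int
    public_port: int
    last_seen: float


@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    idle_timeout: int = IDLE_TIMEOUT
    _next_port: int = 40000
    # dynamic table keyed by (public_port, remote_ip, remote_port) so that an
    # inbound packet can be matched against the flow that created the entry
    _table: dict = field(default_factory=dict)
    # operator-configured static translations keyed by public port; never expire
    _static: dict = field(default_factory=dict)

    def _expire(self, now):
        """Drop dynamic translations that have been idle longer than the timeout."""
        stale = [k for k, t in self._table.items() if now - t.last_seen > self.idle_timeout]
        for k in stale:
            del self._table[k]

    def add_static(self, private_ip, private_port, public_port):
        """Port forward: make one private listener reachable from outside."""
        self._static[public_port] = (private_ip, private_port)

    def outbound(self, now, src_ip, src_port, dst_ip, dst_port):
        """Packet from a private host leaving the network. Creates or refreshes a
        translation and returns the (public_ip, public_port) the remote peer sees."""
        self._expire(now)
        for t in self._table.values():
            if (t.private_ip, t.private_port, t.remote_ip, t.remote_port) == (src_ip, src_port, dst_ip, dst_port):
                t.last_seen = now
                return (self.public_ip, t.public_port)
        pub = self._next_port
        self._next_port += 1
        self._table[(pub, dst_ip, dst_port)] = Translation(src_ip, src_port, dst_ip, dst_port, pub, now)
        return (self.public_ip, pub)

    def inbound(self, now, src_ip, src_port, dst_port):
        """Packet arriving at the public address. Returns the private (ip, port) it
        is forwarded to, or None when no translation matches (packet dropped)."""
        self._expire(now)
        if dst_port in self._static:
            return self._static[dst_port]
        t = self._table.get((dst_port, src_ip, src_port))
        if t is None:
            return None
        t.last_seen = now
        return (t.private_ip, t.private_port)


def demo():
    """Walk through the four situations discussed in the thread."""
    nat = Nat()
    # 1. Private host registers with an external directory: outbound flow creates a translation.
    pub = nat.outbound(now=0, src_ip="10.0.0.5", src_port=51000, dst_ip="198.51.100.7", dst_port=80)
    # 2. The directory's reply on the same flow is forwarded back inside.
    reply = nat.inbound(now=10, src_ip="198.51.100.7", src_port=80, dst_port=pub[1])
    # 3. Unsolicited connection to the host's own listener on port 913 (constructed
    #    Sidecar-style service): the host never sent anything, so nothing matches.
    unsolicited = nat.inbound(now=20, src_ip="192.0.2.9", src_port=40000, dst_port=913)
    # 4. Once the flow has been idle past the timeout, even the established translation is gone.
    stale = nat.inbound(now=10 + IDLE_TIMEOUT + 1, src_ip="198.51.100.7", src_port=80, dst_port=pub[1])
    # 5. A static mapping is the operator's way to make that one listener reachable.
    nat.add_static("10.0.0.5", 913, 913)
    forwarded = nat.inbound(now=400, src_ip="192.0.2.9", src_port=40000, dst_port=913)
    return pub, reply, unsolicited, stale, forwarded


if __name__ == "__main__":
    print(demo())
```

Step 5 is the trade-off in miniature: a static mapping restores reachability for one host and one port, which does not scale to "a service on every user machine", so an application built on that assumption needs either one mapping per host or a redesign.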
